AWS DMS S3 Endpoint SSE-KMS (InvalidParameterCombinationException)

Question

Trying to use Lambda/Boto3 to modify an endpoint.

According to documentation:

response = client.modify_endpoint(
    EndpointArn='string',
    S3Settings={
        'EncryptionMode': 'sse-s3'|'sse-kms',
        'ServerSideEncryptionKmsKeyId': 'string',
   }

However, when I set 'sse-kms' and pass my KeyID, I am getting this error back :

[ERROR] ClientError: An error occurred (InvalidParameterCombinationException) when calling the ModifyEndpoint operation: Only SSE_S3 encryption mode supported. Traceback (most recent call last): File "/var/task/main.py", line 16, in main response = client.modify_endpoint( File "/var/runtime/botocore/client.py", line 316, in _api_call return self._make_api_call(operation_name, kwargs) File "/var/runtime/botocore/client.py", line 635, in _make_api_call raise error_class(parsed_response, operation_name)

Here's my full Lambda:

def main(event,context):
 
    client = boto3.client('dms')

    response = client.modify_endpoint(
        EndpointArn = 'arn:aws:dms:us-east-1:123456789012:endpoint:xxxxxxxxxxxxxxxxxxxxxxxxxxxx',
        ExtraConnectionAttributes = 'cdcPath=undefined',
        S3Settings = {
            'CompressionType': 'none', 
            'DataFormat': 'parquet', 
            'EncryptionMode': 'sse-kms', 
            'ServerSideEncryptionKmsKeyId': 'arn:aws:kms:us-east-1:772631637424:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
        }
    )

Answer 1

It looks like you have created or your existing endpoint EncryptionMode is set to SSE_S3. As per this doc it is not possible for you to change from SSE_S3 to SSE_KMS.

For the ModifyEndpoint operation, you can change the existing value of the EncryptionMode parameter from SSE_KMS to SSE_S3. But you can’t change the existing value from SSE_S3 to SSE_KMS.